Bug 1146045 - nodejs-qs: Denial-of-Service Memory Exhaustion
Keywords:
Status: CLOSED DUPLICATE of bug 1146054
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-09-24 11:09 UTC by T.C. Hollingsworth
Modified: 2016-06-09 00:38 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-24 11:32:20 UTC
Embargoed:


Description T.C. Hollingsworth 2014-09-24 11:09:29 UTC
Dustin Shiver of the Node Security Project reports:

The qs module has the ability to create sparse arrays during parsing. By specifying a high index it is possible to create a large array that will eventually take up all the allocated memory of the running process, resulting in a crash.

Source: https://nodesecurity.io/advisories/qs_dos_memory_exhaustion
Upstream bug: https://github.com/visionmedia/node-querystring/issues/104

CVE request: http://openwall.com/lists/oss-security/2014/09/24/1
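
The pattern described in the report, shown as an added example that is not part of the original bug report and is not code from qs: a request-supplied index used directly as an array index, next to a bounded variant. The names `parseNaive`, `parseBounded` and `slotsToWalk`, the limit of 20 and the query strings used with them are assumptions constructed for illustration.

```javascript
// Added illustration, not qs source. All names and the limit are hypothetical.
const INDEX_LIMIT = 20; // assumed cap on array indices accepted from input

// Split "a[5]=x&b=y" into [key, index-or-null, value] triples.
function pairs(query) {
  return query.split('&').filter(Boolean).map((part) => {
    const eq = part.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? part : part.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(part.slice(eq + 1));
    const m = /^([^\[\]]+)\[(\d+)\]$/.exec(rawKey);
    return m ? [m[1], m[2], value] : [rawKey, null, value];
  });
}

// Pattern from the report: the index in the request becomes the array index,
// so a single parameter decides the array's length.
function parseNaive(query) {
  const out = Object.create(null);
  for (const [key, index, value] of pairs(query)) {
    if (index === null) { out[key] = value; continue; }
    if (!Array.isArray(out[key])) out[key] = [];
    out[key][Number(index)] = value;
  }
  return out;
}

// Bounded form: an index above the limit is stored as a plain object key,
// so the container's size tracks the number of parameters actually sent.
function parseBounded(query, limit = INDEX_LIMIT) {
  const out = Object.create(null);
  for (const [key, index, value] of pairs(query)) {
    if (index === null) { out[key] = value; continue; }
    const n = Number(index);
    let slot = out[key];
    if (slot === null || typeof slot !== 'object') slot = out[key] = [];
    if (Array.isArray(slot) && n > limit) {
      // Demote to a null-prototype object before accepting the large index.
      slot = out[key] = Object.assign(Object.create(null), slot);
    }
    slot[Array.isArray(slot) ? n : index] = value;
  }
  return out;
}

// Positions a dense consumer (a loop over length, JSON.stringify) would visit.
function slotsToWalk(container) {
  return Array.isArray(container) ? container.length : Object.keys(container).length;
}
```

With the constructed input `a[0]=x&a[5000]=y`, the naive parser yields an array of length 5001 from two parameters, while the bounded parser yields an object with two keys.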

Comment 1 T.C. Hollingsworth 2014-09-24 11:32:20 UTC
Jinx. :-)

*** This bug has been marked as a duplicate of bug 1146054 ***

Comment 2 Wade Mealing 2016-06-09 00:38:00 UTC
Nice report though.
